OS X 10.10.2 Challenge Response kind of working...not #51

Closed
ghost opened this issue Feb 4, 2015 · 15 comments

Comments

@ghost

ghost commented Feb 4, 2015

Hi,

I integrated my new YubiKey into my OS X PAM configuration as described at https://developers.yubico.com/yubico-pam/MacOS_X_Challenge-Response.html

I entered the

auth       sufficient     pam_yubico.so mode=challenge-response debug

line into /etc/pam.d/sudo

This is the output I get when I try to sudo:

55-555-1::[20150204-160652]::mT@yg:~
$ sudo -i
Password:
debug: pam_yubico.c:764 (parse_cfg): called.
debug: pam_yubico.c:765 (parse_cfg): flags -2147483648 argc 2
debug: pam_yubico.c:767 (parse_cfg): argv[0]=mode=challenge-response
debug: pam_yubico.c:767 (parse_cfg): argv[1]=debug
debug: pam_yubico.c:768 (parse_cfg): id=-1
debug: pam_yubico.c:769 (parse_cfg): key=(null)
debug: pam_yubico.c:770 (parse_cfg): debug=1
debug: pam_yubico.c:771 (parse_cfg): alwaysok=0
debug: pam_yubico.c:772 (parse_cfg): verbose_otp=0
debug: pam_yubico.c:773 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:774 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:775 (parse_cfg): authfile=(null)
debug: pam_yubico.c:776 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:777 (parse_cfg): ldap_uri=(null)
debug: pam_yubico.c:778 (parse_cfg): ldapdn=(null)
debug: pam_yubico.c:779 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:780 (parse_cfg): yubi_attr=(null)
debug: pam_yubico.c:781 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:782 (parse_cfg): url=(null)
debug: pam_yubico.c:783 (parse_cfg): urllist=(null)
debug: pam_yubico.c:784 (parse_cfg): capath=(null)
debug: pam_yubico.c:785 (parse_cfg): token_id_length=12
debug: pam_yubico.c:786 (parse_cfg): mode=chresp
debug: pam_yubico.c:787 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:829 (pam_sm_authenticate): get user returned: mT
debug: pam_yubico.c:506 (do_challenge_response): Loading challenge from file /Users/mT/.yubico/challenge-3016718
debug: util.c:270 (load_chalresp_state): Challenge: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, salt: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, iterations: 10000, slot: 2
debug: pam_yubico.c:584 (do_challenge_response): Got the expected response, generating new challenge (63 bytes).
debug: pam_yubico.c:664 (do_challenge_response): Challenge-response success!

So it gives me a success at the end, but OS X seems really unimpressed by this and still asks me for the password -.-

Where do I go wrong? :/

I have already been searching for a week, but of course I also do not want to brick my box by removing password auth from /etc/pam.d/sudo.

It also fails when I try to do the same in the file /etc/pam.d/screensaver :(

Thanks in advance

@klali
Member

klali commented Feb 12, 2015

This looks like something else in your PAM stack (or OS X always requiring at least a password for sudo?) is denying the authentication. What is the full content of the sudo pam.d file?
A good tip when doing this is to keep a terminal with a root shell around, so you know that you can change it back.

@ghost
Author

ghost commented Feb 13, 2015

Hi Klas,

my sudo pam.d file looks like this:

$ cat sudo
# sudo: auth account password session
auth required pam_opendirectory.so
auth sufficient pam_yubico.so mode=challenge-response debug
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so

I am not aware of any setting that would cause this. Here is what I have in the screensaver pam.d file:

$ cat screensaver
# screensaver: auth account
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
auth sufficient pam_yubico.so mode=challenge-response debug
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe

Unlocking the screensaver also fails.

Maybe I misconfigured something in these files, or maybe the use of FileVault disk encryption causes this.

Thanks in advance

@klali
Member

klali commented Feb 13, 2015

You could try putting pam_yubico before the other auth lines so it executes first. I don't know anything about FileVault and how that ties in with PAM though.

/klas

@ghost
Author

ghost commented Feb 13, 2015

I switched the order in the files, but the result remains the same. If I activate the screensaver and plug in the YubiKey, the screen still stays locked.

Bye
Michael

@ghost
Author

ghost commented Feb 13, 2015

So, a small update. After changing the order in the sudo pam.d file, I just need to plug in the key to make sudo work :)

Anyway, it still does not work for the screensaver. :(
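Why swapping the two auth lines changed the result, as an added example that is not part of the original thread or of yubico-pam: the evaluator below implements the Linux-PAM/OpenPAM rules for the classic control flags and runs them over sample pam.d texts constructed from the sudo file posted above. In the original order `pam_opendirectory.so` is `required`, so once the password prompt fails the stack is already doomed and the later `sufficient` success of `pam_yubico.so` cannot rescue it, which is exactly the "Challenge-response success!" followed by a denial. With `pam_yubico.so` first, a `sufficient` success returns immediately and the password module never runs. The function and constant names are this example's own.

```python
"""Simulate how a PAM auth stack decides, to show why the order of
'required' and 'sufficient' lines matters.

Added example, not part of yubico-pam or of OS X. It implements the
Linux-PAM/OpenPAM rules for the four classic control flags; the pam.d
texts below are constructed from the sudo file posted in the thread.
"""
from typing import Callable, List, Tuple

Stack = List[Tuple[str, str]]  # (control flag, module name)

# Order as first posted: password module first, key module second.
ORIGINAL_SUDO = """\
# sudo: auth account password session
auth required pam_opendirectory.so
auth sufficient pam_yubico.so mode=challenge-response debug
account required pam_permit.so
"""

# Order after klali's suggestion: key module first.
REORDERED_SUDO = """\
# sudo: auth account password session
auth sufficient pam_yubico.so mode=challenge-response debug
auth required pam_opendirectory.so
account required pam_permit.so
"""

# Both factors mandatory: the control flags used later in the thread for
# the screensaver file, here applied to sudo (constructed).
TWO_FACTOR_SUDO = """\
auth required pam_opendirectory.so
auth required pam_yubico.so mode=challenge-response
"""


def parse_auth_stack(pam_text: str) -> Stack:
    """Return the (control, module) pairs of the 'auth' lines, in order."""
    stack: Stack = []
    for line in pam_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def evaluate_auth(stack: Stack,
                  module_result: Callable[[str], bool]) -> Tuple[str, List[str]]:
    """Walk the stack; return ("success" | "fail", modules that actually ran)."""
    required_failed = False
    ran: List[str] = []
    for control, module in stack:
        ok = module_result(module)
        ran.append(module)
        if control == "requisite" and not ok:
            return "fail", ran            # abort immediately
        if control == "required" and not ok:
            required_failed = True        # remember, but keep running the stack
        elif control == "sufficient" and ok and not required_failed:
            return "success", ran         # short-circuit: later modules never run
        # 'optional', and a failing 'sufficient', do not affect the result
    return ("fail" if required_failed else "success"), ran


def sudo_outcome(pam_text: str, key_present: bool,
                 password_ok: bool) -> Tuple[str, List[str]]:
    """Decide one sudo attempt: is the key plugged in, is the typed password right?"""
    results = {"pam_yubico.so": key_present, "pam_opendirectory.so": password_ok}
    return evaluate_auth(parse_auth_stack(pam_text),
                         lambda m: results.get(m, False))


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_SUDO),
                       ("reordered", REORDERED_SUDO),
                       ("two-factor", TWO_FACTOR_SUDO)]:
        for key, pw in [(True, False), (True, True), (False, True), (False, False)]:
            print(f"{name:10} key={key!s:5} password_ok={pw!s:5} -> "
                  f"{sudo_outcome(text, key, pw)}")
```

Note the security consequence of the reordered stack: a plugged-in key alone passes sudo, with no password at all, so this is one factor (possession) rather than two. If both must be present, make both lines `required`, as the `TWO_FACTOR_SUDO` text does; then a missing or wrong password still fails even with the key inserted.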

@ghost
Author

ghost commented Feb 13, 2015

This is what I get in the system console when I remove the YubiKey, start the screensaver and then plug the YubiKey back into the system:

13.02.15 13:24:38,091 com.apple.SecurityServer[55]: Token reader Yubico Yubikey NEO OTP+CCID removed from system
13.02.15 13:24:41,000 kernel[0]: AppleUSBMultitouchDriver::message - kIOUSBMessagePortHasBeenReset.
13.02.15 13:24:41,942 com.apple.SecurityServer[55]: Token reader Yubico Yubikey NEO OTP+CCID inserted into system
13.02.15 13:24:41,943 com.apple.SecurityServer[55]: reader Yubico Yubikey NEO OTP+CCID: state changed 0 -> 34
13.02.15 13:24:41,943 com.apple.SecurityServer[55]: token in reader Yubico Yubikey NEO OTP+CCID cannot be used (error 229)
13.02.15 13:24:42,000 kernel[0]: AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
13.02.15 13:24:42,401 hidd[71]: MultitouchHID: device bootloaded
13.02.15 13:24:42,000 kernel[0]: AppleUSBMultitouchDriver::_deviceSetReport - DeviceRequest for reportID 0xc8 returned with result 0xe000404f - retrying
13.02.15 13:24:46,799 loginwindow[67]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.
13.02.15 13:24:52,086 com.apple.SecurityServer[55]: reader Yubico Yubikey NEO OTP+CCID: state changed 32 -> 18
13.02.15 13:24:54,128 Console[15934]: Failed to connect (_consoleX) outlet from (NSApplication) to (ConsoleX): missing setter or instance variable
13.02.15 13:24:55,291 com.apple.SecurityServer[55]: reader Yubico Yubikey NEO OTP+CCID: state changed 16 -> 34
13.02.15 13:24:55,292 com.apple.SecurityServer[55]: token in reader Yubico Yubikey NEO OTP+CCID cannot be used (error 229)
13.02.15 13:24:57,100 loginwindow[67]: CoreAnimation: warning, deleted thread with uncommitted CATransaction; set CA_DEBUG_TRANSACTIONS=1 in environment to log backtraces.

@ghost
Author

ghost commented Feb 13, 2015

So, I checked for that Error and found this http://forum.yubico.com/viewtopic.php?f=26&t=1574

Afterwards I installed the YubiKey NEO Manager and enabled U2F, which nearly gave me a heart attack because I thought I had just erased everything from my key.

So, now the following is happening. The gibberish that I posted at the top while trying to run a sudo command is gone. If the YubiKey is plugged in, I can run sudo commands with the key just plugged in.

Now, the messages in the console log are also gone, when I try to unlock the Screensaver with the Yubikey. But it still will not unlock the screensaver.

Any ideas where I could dig next?

ATdHvAaNnKcSe

@ghost
Author

ghost commented Feb 13, 2015

After a reboot, sudo still works, the screensaver still gets:

13.02.15 14:08:28,913 com.apple.SecurityServer[55]: reader Yubico Yubikey NEO OTP+U2F+CCID: state changed 32 -> 18
13.02.15 14:08:32,036 com.apple.SecurityServer[55]: reader Yubico Yubikey NEO OTP+U2F+CCID: state changed 16 -> 34
13.02.15 14:08:32,036 com.apple.SecurityServer[55]: token in reader Yubico Yubikey NEO OTP+U2F+CCID cannot be used (error 229)
13.02.15 14:08:42,448 com.apple.SecurityServer[55]: reader Yubico Yubikey NEO OTP+U2F+CCID: state changed 32 -> 162
13.02.15 14:08:42,449 com.apple.SecurityServer[55]: token in reader Yubico Yubikey NEO OTP+U2F+CCID cannot be used (error 229)

@ghost
Author

ghost commented Feb 13, 2015

Do I maybe need to install https://smartcardservices.macosforge.org driver to make this work?

@klali
Member

klali commented Feb 13, 2015

I think you're simply getting stuck in the fact that the screensaver on OS X is not completely integrated with pam, and disabling password auth for it might be impossible / managed from something completely different.

@ghost
Author

ghost commented Feb 13, 2015

Okay, it seems so. :(
Maybe Rohos will soon provide a new version of Rohos Logon Key for OS X, but to be honest, I do not think they will move fast on this one.

Thank you anyway :)

At least, I have GPG, sudo and some other Stuff running with my Yubikey :)

@klali klali closed this as completed Feb 16, 2015
@JonnyWhatshisface

I have it working just fine on Mac OS X with the screensaver, sudo and authorization...Is this still an issue, megatraveler?

@ghost
Author

ghost commented Aug 18, 2015

Hi Jonny, yes, I just gave up at some point. I can use the key for switching to sudo, but I still cannot unlock the screensaver with my YubiKey. I assume that is maybe because I use FileVault. If you have an idea I would be glad to hear it :)

@JonnyWhatshisface

In my screensaver pam.d auth file (/etc/pam.d/screensaver) - :

# screensaver: auth account

auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
auth required pam_yubico.so mode=challenge-response authgroup=yubikey
account required pam_opendirectory.so
account sufficient pam_self.so
account required pam_group.so no_warn group=admin,wheel fail_safe
account required pam_group.so no_warn deny group=admin,wheel ruser fail_safe

Please note that the authgroup=yubikey is specific to my implementation and the fork in my repository. I've submitted a request to merge it. Nonetheless, if you remove the authgroup=yubikey, it should work fine for you provided you have done the following:

Open the YubiKey personalization tool and choose Challenge-Response. Select the HMAC-SHA1 option. Then, select Configuration Slot 2. Make sure the "Require user input (button press)" option under the HMAC-SHA1 parameters is UNCHECKED, and ensure Variable Input is selected. Click Generate, then Write Configuration.

After that, do the following:

mkdir -m0700 -p ~/.yubico

Make sure your yubikey is plugged in, and enter the following command:

ykpamcfg -2

It should tell you that it successfully created a file in your home directory under .yubikey (challenge-<serial #>). Then, modify your /etc/pam.d/screensaver as seen above, minus the authgroup= (unless you use my fork). With the current master repo for the PAM module, doing so would require EVERY user to have a YubiKey to unlock the screensaver. My fork adds the authgroup= option, which allows you to specify a group of users required to have a YubiKey. If the user is not in the specified group, it will skip the check for a key... If you'd prefer that functionality, you won't find it in the current release (yet). I submitted a pull request, though I'm having issues with my editor wanting to automatically correct the indentation of the code without notifying me as I close it... lol

Nonetheless, give this a whirl and let me know if it works out for you. Please keep in mind that this also works for the authorization module (for login). It can work with su and sudo, but you have to ensure you enable tty_tickets, which is disabled on Mac OS X by default (which I find stupid, personally).

@JonnyWhatshisface

Also, as a side note? Please ensure that when you do the ykpamcfg -2 , you are doing it as the user you wish to bind the key to. If you're sudo'd to root? It will put it in the root home directory, thus, you won't be able to unlock your screensaver because the user running the screensaver won't have a challenge file generated. I did this initially... Luckily, I tested it with the screensaver first, and not authorization. :)
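A small checker for the setup described in the two comments above (the `mkdir -m0700 -p ~/.yubico`, `ykpamcfg -2`, pam.d edit sequence, and the warning about running `ykpamcfg` under sudo so that the state file lands in root's home). This is an added example, not part of yubico-pam or of the thread; it only inspects files and never touches the key. The `target_home`, `check_state_dir` and `check_pam_service` names, the sample pam.d texts and the serial in the test are this example's own constructions; the check that the challenge file is not readable by other users is a recommendation of this example rather than something the thread states.

```python
"""Sanity-check a pam_yubico challenge-response setup for one user.

Added example; not part of yubico-pam. It checks the state the thread
describes: ~/.yubico with mode 0700, a challenge-<serial> file written by
`ykpamcfg -2`, and an /etc/pam.d/<service> auth line that loads
pam_yubico.so with mode=challenge-response.
"""
import os
import pwd
import stat
from typing import Callable, Dict, List

# Constructed: the screensaver file posted in the thread, without the
# fork-specific authgroup= option.
SCREENSAVER_EXAMPLE = """\
# screensaver: auth account
auth optional pam_krb5.so use_first_pass use_kcminit
auth required pam_opendirectory.so use_first_pass nullok
auth required pam_yubico.so mode=challenge-response
account required pam_opendirectory.so
"""

# Constructed: the first sudo file from the thread.
ORIGINAL_SUDO_EXAMPLE = """\
auth required pam_opendirectory.so
auth sufficient pam_yubico.so mode=challenge-response debug
"""


def target_home(env: Dict[str, str], lookup: Callable = pwd.getpwnam) -> str:
    """Home directory of the user the key must be bound to.

    Under `sudo`, HOME (and so `~`) usually points at root's home, which is
    the trap described above; SUDO_USER still names the real user, so that
    wins. `lookup` is injectable so the function can be tested offline.
    """
    user = env.get("SUDO_USER")
    if user:
        return lookup(user).pw_dir
    return env.get("HOME") or pwd.getpwuid(os.getuid()).pw_dir


def check_state_dir(home: str) -> List[str]:
    """Return a list of problems with <home>/.yubico; an empty list means OK."""
    problems: List[str] = []
    ydir = os.path.join(home, ".yubico")
    try:
        st = os.lstat(ydir)          # lstat: a symlinked state dir is suspicious
    except FileNotFoundError:
        return [f"{ydir} does not exist (run: mkdir -m0700 -p ~/.yubico)"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{ydir} is not a directory"]
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"{ydir} is group/world accessible; expected mode 0700")
    challenges = [n for n in os.listdir(ydir) if n.startswith("challenge-")]
    if not challenges:
        problems.append(f"no challenge-<serial> file in {ydir} "
                        "(run ykpamcfg -2 as this user, not as root)")
    for name in challenges:
        cst = os.lstat(os.path.join(ydir, name))
        if not stat.S_ISREG(cst.st_mode):
            problems.append(f"{name} is not a regular file")
        elif stat.S_IMODE(cst.st_mode) & 0o077:
            problems.append(f"{name} is readable by others; expected mode 0600")
    return problems


def check_pam_service(pam_text: str) -> List[str]:
    """Return problems (and 'warning:' notes) for the auth lines of a pam.d text."""
    problems: List[str] = []
    yubico_lines = [f for f in (ln.split() for ln in pam_text.splitlines())
                    if len(f) >= 3 and f[0] == "auth" and f[2] == "pam_yubico.so"]
    if not yubico_lines:
        return ["no 'auth ... pam_yubico.so' line"]
    for fields in yubico_lines:
        if "mode=challenge-response" not in fields[3:]:
            problems.append("pam_yubico.so line lacks mode=challenge-response")
        if fields[1] == "sufficient":
            problems.append("warning: pam_yubico.so is 'sufficient': a plugged-in "
                            "key alone satisfies the stack (no password asked)")
    return problems


if __name__ == "__main__":
    home = target_home(dict(os.environ))
    print(f"checking state for {home}")
    for p in check_state_dir(home):
        print(" -", p)
    for service in ("sudo", "screensaver"):
        path = os.path.join("/etc/pam.d", service)
        if os.path.exists(path):
            with open(path) as fh:
                for p in check_pam_service(fh.read()):
                    print(f" - {service}: {p}")
```

Run it as the user who will unlock the screen, or under sudo: in the second case `SUDO_USER` makes it look in the right home instead of root's, which is exactly the mistake the comment above warns about.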
